Is it possible to parse and store a field as an array of objects in Elasticsearch?

My logline would look like this

2018-03-09 16:12:20,315 INFO [com.sample.teste.TestClass] (https-express.sample.com-433-8) {my-name-1=my-value-1, my-name-2=my-value-2} Testing logger

And I have pipeline config as

filter {
    grok {
             match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} *\[%{JAVACLASS:logger}\] \(%{GREEDYDATA:thread}\) \{%{GREEDYDATA:mdc}\} %{GREEDYDATA:message}"}
        overwrite => [ "message" ]
        }
    mutate {
        split => { "mdc" => "," }
    }
}

And the output of that field in elasticsearch is

"mdc": [
      "my-name-1=my-value-1",
      " my-name-2=my-value-2"
    ],

Is it possible to parse and store this field as an array of objects instead? Like this

  "mdc": [
    {
        "name": "my-name-1",
        "value": "my-value-1"
    },
    {
        "name": "my-name-2",
        "value": "my-value-2"
    }
]

Yes, but you'll need to specify the Nested type in your index mapping (or mapping template) before the index is allowed to auto-create the fields in an index.

Thanks for your time @yaauie. I will try this and get back.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.